False sense of security of the new verbose indicator ("Secure | www.website.com") |
Issue description
I know that this is an extremely delicate area. Just trying to bring my very humble opinion here, let's see how it goes.
TL;DR I think that the new verbose security indicator for NON EV-SSL ("Secure | www.address.com" in the omnibox) can give a false sense of security to the user.
I was a bit surprised to realize that my blog [1] shows as "Secure". Yes I use TLS but honestly I got that certificate in ~30 seconds with letsencrypt.
I could have registered www.backofamerica.com (note the deliberate typo), obtained an SSL certificate, made the UI look like a real bank website, and that would still show as "Secure", while the real message here should have been "you are securely connected to a phishing website".
I believe that the information we are trying to convey is that the "connection" is secure, but we can't possibly say that about the site being visited. I'm not sure the average user will be able to get this.
IMHO this narrows the difference between EV SSL certificates and non-EV too much.
I am very happy if the omnibox is verbose in case of a non-secure certificate, instead of just changing the color of the padlock.
Showing "Secure" just because the site happens to have a certificate IMHO can be misleading.
[1] https://www.bitleaks.net/
Sep 15 2016
> It means the person involved paid more money, not the site is safe and reputable.

It's not just money. The process for obtaining an EV certificate is stricter. CAs are supposed to establish legal identity and other things. A non-EV certificate, instead, is something that I obtained in 30 seconds via a REST API without any human intervention, just by virtue of having DNS ownership of a domain. I didn't have to prove my identity and I could have bought my domain and host in a totally anonymous way.
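The distinction drawn in this comment, between a certificate that only proves control of a DNS name and one that carries a vetted legal identity, is something a client can read off the certificate itself: the CA/Browser Forum policy OIDs in the certificatePolicies extension (EV 2.23.140.1.1, DV 2.23.140.1.2.1, OV 2.23.140.1.2.2, IV 2.23.140.1.2.3) and whether the Subject names an organisation. The Go program below is an added example, not code from this issue or from Chromium: it mints two self-signed test certificates (constructed for the example, not CA-issued), one tagged DV with a bare CN and one tagged EV with an O= name, parses them back and classifies them. The function names (`ValidationLevel`, `AssertsLegalIdentity`, `Describe`, `NewTestCert`) and the host names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Published CA/Browser Forum policy OIDs carried in the certificatePolicies
// extension (2.5.29.32). Browsers key EV treatment on oidEV together with a
// per-root EV OID list that this example does not model.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidIV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}
)

// ValidationLevel returns the CA/B Forum validation level the certificate
// asserts through its policy OIDs: "EV", "OV", "IV", "DV" or "none".
func ValidationLevel(cert *x509.Certificate) string {
	// Strongest level first, so a cert listing several OIDs reports the best one.
	for _, want := range []struct {
		oid   asn1.ObjectIdentifier
		level string
	}{{oidEV, "EV"}, {oidOV, "OV"}, {oidIV, "IV"}, {oidDV, "DV"}} {
		for _, p := range cert.PolicyIdentifiers {
			if p.Equal(want.oid) {
				return want.level
			}
		}
	}
	return "none"
}

// AssertsLegalIdentity reports whether the Subject carries an O= name. A DV
// certificate proves only control of the DNS name, so its Subject is at most
// a CN; EV and OV certificates name the vetted organisation.
func AssertsLegalIdentity(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) > 0
}

// Describe says what an address-bar indicator could justifiably claim.
func Describe(cert *x509.Certificate) string {
	host := cert.DNSNames[0]
	if ValidationLevel(cert) == "EV" && AssertsLegalIdentity(cert) {
		return fmt.Sprintf("encrypted connection to %s, run by %s (identity vetted)", host, cert.Subject.Organization[0])
	}
	return fmt.Sprintf("encrypted connection to %s (domain control only; operator unknown)", host)
}

// policyInformation mirrors ASN.1 PolicyInformation with qualifiers omitted;
// a slice of it marshals as the SEQUENCE OF the extension expects.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// NewTestCert mints a self-signed certificate (constructed for this example,
// not CA-issued) for dnsName, with an optional organisation and policy OIDs.
func NewTestCert(dnsName, org string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if len(policies) > 0 {
		infos := make([]policyInformation, 0, len(policies))
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		polDER, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		// Raw extension, so the result does not depend on which of the
		// PolicyIdentifiers/Policies template fields a given Go release honours.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed inputs: a DV-style blog cert and an EV-style bank cert.
	dv, err := NewTestCert("blog.example.test", "", oidDV)
	if err != nil {
		panic(err)
	}
	ev, err := NewTestCert("bank.example.test", "Example Bank Ltd", oidEV)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{dv, ev} {
		fmt.Printf("%-18s level=%-4s identity=%-5t  %s\n",
			c.DNSNames[0], ValidationLevel(c), AssertsLegalIdentity(c), Describe(c))
	}
}
```

Two caveats a practitioner should keep in mind: a real browser grants EV treatment only when the EV OID is also on its per-root list of EV-enabled CAs, so a self-signed certificate carrying 2.23.140.1.1 would never be shown as EV; and even a correctly classified EV certificate says only who the CA vetted, not whether that party is trustworthy, which is exactly the gap the thread is about.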
Sep 15 2016
My core point was, whether we agree or not about EV vs. non-EV, the current change is, to me, not really a step towards the world we want to end up in.
Sep 15 2016
Thank you for the feedback. This is something that we've been discussing extensively during the project rollout. Many of us have the same concerns, but haven't been able to come up with a better plan. We need to provide some short, translatable phrase that explains what HTTPS and the green lock mean. Options like "encrypted" fare poorly because no one knows what that means. We do plan to eventually remove the "Secure" badging for HTTPS and transition it to the "neutral" state, once HTTP is affirmatively marked as non-secure everywhere. In the meantime, we are stuck in this awkward place.
Sep 15 2016
Ok, I imagined that this was not something that just "happened". Thanks for the explanation; honestly I don't have a better proposal either, other than: just leave the green padlock for non-EV sites. Looking forward to the day when non-HTTPS sites will flash red.
Oct 19 2016
Nov 24 2016
Comment 1 by pkasting@chromium.org, Sep 15 2016